JSON Web Tokens are representations of claims, or authorization proofs that fit into the Header of HTTP requests.

How?

JWTs are used as the MAC of operations that require authorization:

• block proposal
• transaction proposal.

They are send alongside the JSON request body in the Header;

Authorization: Bearer aaaaaa.bbbbbb.ccccc

Gradecoin uses 3 fields for the JWTs;

{
"tha": "Hash of the payload, check invididual references",
"iat": "Issued At, Unix Time",
"exp": "Expiration Time, epoch"
}

• tha is explained in blocks and transactions documentations.
• iat when the JWT was created in Unix Time format
• exp when the JWT will expire & be rejected in Unix Time

Algorithm

We are using RS256, RSASSA-PKCS1-v1_5 using SHA-256. The JWTs you encode with your private RSA key will be decoded using the public key you have authenticated with. You can see how the process works here.

References

• RFC, the ultimate reference
• JWT Debugger